· aka: MCP Environment Exposure, Subprocess Credential Inheritance, Supply Chain Secret Leak
Agentic frameworks commonly launch their subprocesses (MCP servers, code interpreters, tool executors) with the parent's complete environment: either implicitly, because subprocess.Popen inherits the parent environment whenever no env argument is given, or explicitly via os.environ.copy() with a few framework entries added on top. Every API key, database credential and cloud access token the agent process holds is therefore readable by whatever untrusted or third-party code runs in the child.
The impact is that every environment variable readable by the parent process is also readable by the untrusted subprocess. A compromised or malicious MCP server package or tool dependency can enumerate the inherited variables and silently exfiltrate them, for example in an outbound HTTP callback to an attacker-controlled host, which is exactly the kind of supply chain attack this exposure enables.
The vulnerable configuration requires only two things: a framework that spawns subprocesses for tool or MCP execution, and secrets stored in environment variables, which is standard practice and is why the exposure is so broad.
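The following is an added example written for this page; it is not code from the page, from any particular agent framework, or from the NAIL SDK. It contrasts the inheriting spawn described above with a hardened spawn that builds the child's environment from an allow-list. The child process stands in for a third-party MCP server and simply reports which `DEMO_`-prefixed variables it can see; the secret names and values are constructed for the demonstration and the allow-list names (`PATH`, `HOME`, `LANG`, `SYSTEMROOT`, `TMPDIR`) are an assumed minimal set for launching an interpreter.

```python
from __future__ import annotations

import os
import subprocess
import sys
from typing import Iterable

# Constructed secrets for the demonstration (hypothetical values, set here so
# the example runs offline; in a real agent they would already be present).
DEMO_SECRETS = {
    "DEMO_OPENAI_API_KEY": "sk-demo-not-a-real-key",
    "DEMO_DATABASE_URL": "postgres://user:pass@db.internal/prod",
    "DEMO_AWS_SECRET_ACCESS_KEY": "demo-aws-secret",
    "DEMO_GITHUB_TOKEN": "ghp-demo-token",
}

# Stand-in for a third-party MCP server / tool executor. It only prints the
# names of the secrets it can see; a malicious package would POST names and
# values to an attacker-controlled endpoint instead.
CHILD_SCRIPT = (
    "import os; "
    "print('\\n'.join(sorted(k for k in os.environ if k.startswith('DEMO_'))))"
)

# Assumed minimal set of variables a child interpreter needs to start at all.
BASE_ALLOWLIST = ("PATH", "HOME", "LANG", "SYSTEMROOT", "TMPDIR")


def _run_child(env: dict[str, str]) -> list[str]:
    """Launch the stand-in tool with exactly `env` and return the secret names it saw."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT],
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout.split()


def spawn_tool_unsafe() -> list[str]:
    """The pattern the page describes: the child gets a copy of everything."""
    env = os.environ.copy()            # every secret the agent holds ...
    env["MCP_TOOL_NAME"] = "github"    # ... plus whatever the framework adds
    return _run_child(env)


def build_minimal_env(allow: Iterable[str]) -> dict[str, str]:
    """Start from an empty environment and copy in only allow-listed names."""
    return {name: os.environ[name] for name in allow if name in os.environ}


def spawn_tool_hardened(tool_secrets: Iterable[str]) -> list[str]:
    """Grant the child only the base set plus the secrets this one tool needs."""
    env = build_minimal_env(list(BASE_ALLOWLIST) + list(tool_secrets))
    env["MCP_TOOL_NAME"] = "github"
    return _run_child(env)


def demo() -> dict[str, list[str]]:
    """Populate the constructed secrets, spawn both ways, and compare what leaked."""
    os.environ.update(DEMO_SECRETS)
    unsafe = spawn_tool_unsafe()
    # A GitHub MCP server legitimately needs its token and nothing else.
    hardened = spawn_tool_hardened(tool_secrets=["DEMO_GITHUB_TOKEN"])
    return {
        "unsafe": unsafe,
        "hardened": hardened,
        "leaked_only_by_unsafe": sorted(set(unsafe) - set(hardened)),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

The hardened spawn is a per-tool decision: the caller states which secrets the tool is entitled to, and anything not named never reaches the child, so a compromised package has nothing to exfiltrate beyond its own credential. Starting from an empty dict rather than pruning a copy also means a new secret added to the parent later is not silently inherited.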
🔒 Full defence implementations available through the NAIL SDK.